Powershell Reconnaissance

This post is a simple introduction to Powershell and a demonstration of a couple of useful ways it can be utilized during the information gathering stages of a pentest. All of the examples are demonstrated using Powershell version 3.0, so unless you are running Windows 8/2012 or above, you will most likely need to download the latest version from Microsoft. To check what version you are currently running, simply run the following command.

Edit: @obscuresec pointed out that you must also have the “Active Directory Module for Windows Powershell” installed/enabled to utilize the following cmdlets. You can find this module in the “Remote Server Administration Tools”, which is a separate download from Microsoft. The module is enabled through the “Programs and Features” Control Panel item.

Assuming that you will be running these commands from a local machine that isn’t joined to the domain, the first requirement for enumerating Active Directory is a set of valid domain credentials, because any valid domain user has full “read” access to Active Directory. If you’re lucky, these are usually attained via brute force or possibly a compromised host on the domain. This is often the first step towards the fall of the “Domain Admin”. However you attain these credentials, use them to connect to the Active Directory service.

PS C:\Users\TrustedSec> $cred = Get-Credential

When prompted, enter the credentials, which will be saved in the “$cred” variable.

Now we can simply call the “$cred” variable when we want to query the domain service. The first command that I like to run is a query for the list of “Domain Admins”.
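The following script is an added example, not code from the original post: it ties together the steps above (version check, prompting for `$cred`, and querying the “Domain Admins” group through the Active Directory module) and reports the facts a defender reviewing that group would want, such as nested members, disabled accounts, and password age. `$Server` and `$MaxPasswordAgeDays` are assumed placeholders; the cmdlets and parameters used (`Get-ADGroupMember -Recursive -Server -Credential`, `Get-ADUser -Properties`) are part of the RSAT module mentioned in the edit above.

```powershell
# Added example (not the original post's code). Enumerate the members of
# "Domain Admins" from a host that is not joined to the domain and summarize
# the attributes a defender would audit. Assumed inputs: $Server is the FQDN
# of a domain controller; $MaxPasswordAgeDays is an audit threshold, not a
# value from the post.

param(
    [Parameter(Mandatory)] [string] $Server,   # e.g. dc01.corp.example (placeholder)
    [int] $MaxPasswordAgeDays = 90              # assumed threshold for a stale admin password
)

# The post targets PowerShell 3.0; fail early on anything older.
if ($PSVersionTable.PSVersion.Major -lt 3) {
    throw "PowerShell 3.0 or newer is required (running $($PSVersionTable.PSVersion))."
}

# Requires the "Active Directory Module for Windows PowerShell" from RSAT.
Import-Module ActiveDirectory -ErrorAction Stop

# Same step as the post: prompt once and keep the domain credentials in $cred.
$cred = Get-Credential -Message "Domain credentials used for the query"

# Because this machine is not domain-joined, every AD cmdlet needs an explicit
# -Server and -Credential. -Recursive expands groups nested inside Domain Admins,
# which is where unexpected admin accounts usually hide.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive -Server $Server -Credential $cred

$report = foreach ($m in $members) {
    if ($m.objectClass -ne 'user') { continue }   # nested groups were already expanded

    $u = Get-ADUser -Identity $m.distinguishedName -Server $Server -Credential $cred `
                    -Properties Enabled, PasswordLastSet, LastLogonDate, PasswordNeverExpires

    $ageDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }

    # Findings a defender would act on: non-expiring or stale admin passwords.
    $finding = if ($u.PasswordNeverExpires) { 'password never expires' }
               elseif ($ageDays -ne $null -and $ageDays -gt $MaxPasswordAgeDays) { "password older than $MaxPasswordAgeDays days" }
               else { '' }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordAgeDays      = $ageDays
        PasswordNeverExpires = $u.PasswordNeverExpires
        LastLogonDate        = $u.LastLogonDate
        Finding              = $finding
    }
}

# Oldest passwords first; pipe to Export-Csv instead if the list is long.
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Two caveats worth knowing when reading the output: `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which by default can lag the real last logon by up to about 14 days, so it is good enough for spotting dormant admin accounts but not for precise timelines; and the group query itself is ordinary LDAP read traffic from a single principal, which is exactly the kind of activity domain controllers can log and defenders can alert on when it originates from an unexpected workstation.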

Hopefully this sparks your interest in Powershell and helps you on your next pentest. If you haven’t already, you should also check out Matt Graeber’s PowerSploit cmdlets. There are many incredibly useful scripts that he maintains and provides to the community for free. Happy PowerSploiting!

This entry was posted on January 22, 2014, 8:10 am and is filed under Reconnaissance, Security.